Linux is more secure --NOT!


Post by Peter ColonM » Sat, 22 Mar 2003 16:00:19



-- Security Alert Consensus --
                       Number 011 (03.11)
                  Thursday, March 20, 2003
                       Created for you by
            Network Computing and the SANS Institute
                      Powered by Neohapsis

----------------------------------------------------------------------

Welcome to the latest edition of Security Alert Consensus! Below
you should find information pertaining only to the categories you
requested. Information on how to manage your subscription can be found
at the bottom of the newsletter. If you have any problems or questions,

-- Security Alert Consensus Team

************************************************************************

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

TABLE OF CONTENTS:

{03.11.008} Win - MS03-007: IIS WebDAV URL overflow
{03.11.023} Win - McAfee ePolicy Orchestrator agent format string
            vulnerability
{03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
{03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
{03.11.003} Linux - Update {03.09.018}: file utility local overflow
{03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
{03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
            vulnerabilities
{03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
{03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
{03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
{03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
            shell commands
{03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
{03.11.026} Linux - Mandrake unrestricted shutdown

 
 
 


Post by ray » Sat, 22 Mar 2003 17:44:11



> -- Security Alert Consensus --
>                        Number 011 (03.11)
>                   Thursday, March 20, 2003
>                        Created for you by
>             Network Computing and the SANS Institute
>                       Powered by Neohapsis

> ----------------------------------------------------------------------

> Welcome to the latest edition of Security Alert Consensus! Below
> you should find information pertaining only to the categories you
> requested. Information on how to manage your subscription can be found
> at the bottom of the newsletter. If you have any problems or questions,

> -- Security Alert Consensus Team

> ************************************************************************

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> TABLE OF CONTENTS:

> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>             vulnerability
> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>             vulnerabilities
> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>             shell commands
> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
> {03.11.026} Linux - Mandrake unrestricted shutdown

It actually doesn't matter whether Linux is "more secure" or not. The
fact is that there are far fewer attacks directed at Linux - hence it is
more secure in actual use.

 
 
 


Post by WarpKa » Sat, 22 Mar 2003 17:55:06



> TABLE OF CONTENTS:

> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>             vulnerability
> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>             vulnerabilities
> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>             shell commands
> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
> {03.11.026} Linux - Mandrake unrestricted shutdown

Ok, now tell us how many of them have been exploited vs. the vulnerabilities
in Windows.

I'm willing to bet you'll recant your subject.

 
 
 


Post by Erik Funkenbusc » Sat, 22 Mar 2003 18:39:32




>> -- Security Alert Consensus --
>>                        Number 011 (03.11)
>>                   Thursday, March 20, 2003
>>                        Created for you by
>>             Network Computing and the SANS Institute
>>                       Powered by Neohapsis

>> ----------------------------------------------------------------------

>> Welcome to the latest edition of Security Alert Consensus! Below
>> you should find information pertaining only to the categories you
>> requested. Information on how to manage your subscription can be found
>> at the bottom of the newsletter. If you have any problems or questions,

>> -- Security Alert Consensus Team

>> ************************************************************************

>> -----BEGIN PGP SIGNED MESSAGE-----
>> Hash: SHA1

>> TABLE OF CONTENTS:

>> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
>> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>>             vulnerability
>> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
>> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
>> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
>> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
>> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>>             vulnerabilities
>> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
>> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
>> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
>> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>>             shell commands
>> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
>> {03.11.026} Linux - Mandrake unrestricted shutdown

> It actually doesn't matter whether Linux is "more secure" or not. The
> fact is that there are far fewer attacks directed at Linux - hence it is
> more secure in actual use.

So, because nobody burglarizes your unlocked home, your home is more
secure???
 
 
 


Post by Erik Funkenbusc » Sat, 22 Mar 2003 18:41:02




>> TABLE OF CONTENTS:

>> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
>> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>>             vulnerability
>> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
>> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
>> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
>> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
>> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>>             vulnerabilities
>> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
>> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
>> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
>> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>>             shell commands
>> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
>> {03.11.026} Linux - Mandrake unrestricted shutdown

> Ok, now tell us how many of them have been exploited vs. the vulnerabilities
> in Windows.

> I'm willing to bet you'll recant your subject.

Wrong attitude.  Security is about how *VULNERABLE* you are, not about how
often you get exploited.
 
 
 


Post by cybea » Sat, 22 Mar 2003 18:47:53


Snip meaningless list. (not enough info. Gotta URL that people can check?)

My guess is they are all patched or have fixes. Unlike MS software with 14 (3
more than you listed for Linux) unpatched security vulnerabilities in ONE
package alone.

http://www.pivx.com/larholm/unpatched/

 
 
 


Post by cybea » Sat, 22 Mar 2003 18:52:02





>>> TABLE OF CONTENTS:

>>> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
>>> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>>>             vulnerability
>>> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
>>> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
>>> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
>>> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
>>> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>>>             vulnerabilities
>>> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
>>> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
>>> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
>>> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>>>             shell commands
>>> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
>>> {03.11.026} Linux - Mandrake unrestricted shutdown

>> Ok, now tell us how many of them have been exploited vs. the
>> vulnerabilities in Windows.

>> I'm willing to bet you'll recant your subject.

> Wrong attitude.  Security is about how *VULNERABLE* you are, not about how
> often you get exploited.

You bet. From what I can tell all of these have patches or fixes. But MS
code? 14 UNPATCHED (leaving you *VULNERABLE*) security holes in a SINGLE
application! Like you said "Security is about how *VULNERABLE* you are".
And with MS's attitude to security, I would say that MS users are VERY
vulnerable.
 
 
 


Post by Bo Grime » Sat, 22 Mar 2003 19:33:13



> Wrong attitude.  Security is about how *VULNERABLE* you are, not about how
> often you get exploited.

Oh crap!  I hope TG doesn't see this or we'll have another round of "It's
over; your side lost; deal with it."

Funny thing you didn't tell him that but you'll tell a Linux advocate that.  
Must have something to do with wanting to like Linux.

--
Bo G
"Mankind does nothing save through initiatives on the part of inventors,
great or small, and imitation by the rest of us. Individuals show the way,
set the patterns.  The rivalry of the patterns is the history of the
world." (William James)  Linus is just such an inventor; Linux is just such
a pattern.

 
 
 


Post by Bo Grime » Sat, 22 Mar 2003 19:44:07



> -- Security Alert Consensus --
>                        Number 011 (03.11)
>                   Thursday, March 20, 2003
>                        Created for you by
>             Network Computing and the SANS Institute
>                       Powered by Neohapsis

> ----------------------------------------------------------------------

> Welcome to the latest edition of Security Alert Consensus! Below
> you should find information pertaining only to the categories you
> requested. Information on how to manage your subscription can be found
> at the bottom of the newsletter. If you have any problems or questions,

> -- Security Alert Consensus Team

> ************************************************************************

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1

> TABLE OF CONTENTS:

> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
>             vulnerability
> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
>             vulnerabilities
> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
>             shell commands
> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
> {03.11.026} Linux - Mandrake unrestricted shutdown

Some of those are distro or desktop specific which doesn't make them Linux
issues per se.  Others, like MySQL don't apply to people, like me, not
running it.  Same for the McAfee one I assume.

Your list actually says nothing about either Windows or Linux.  It says
nothing about the seriousness of any of the issues.  To use Erik's analogy,
if you leave your house unlocked your home is not secure, but you are
more at risk if an armed drug * walks in while you're at home than you
are if an unarmed jewel thief walks in when you're away.

Without some sort of context, and a list that doesn't include app, distro or
desktop specific vulnerabilities, your list is meaningless.

--
Bo G
"Mankind does nothing save through initiatives on the part of inventors,
great or small, and imitation by the rest of us. Individuals show the way,
set the patterns.  The rivalry of the patterns is the history of the
world." (William James)  Linus is just such an inventor; Linux is just such
a pattern.

 
 
 


Post by Dave Leig » Sat, 22 Mar 2003 21:18:56


ray wrote on Friday 21 March 2003 10:44 in message

> It actually doesn't matter whether Linux is "more secure" or not. The
> fact is that there are far fewer attacks directed at Linux - hence it is
> more secure in actual use.

Weak answer. You don't simply trust that crackers will pass over you.  

Linux is "more secure" when you use published advisories to disable or
configure apps and daemons to close vulnerabilities until they are quickly
patched by the maintainers.

--
Dave Leigh, Consulting Systems Analyst
Cratchit.org

 
 
 


Post by GreyClou » Sat, 22 Mar 2003 20:57:12





> >> -- Security Alert Consensus --
> >>                        Number 011 (03.11)
> >>                   Thursday, March 20, 2003
> >>                        Created for you by
> >>             Network Computing and the SANS Institute
> >>                       Powered by Neohapsis

> >> ----------------------------------------------------------------------

> >> Welcome to the latest edition of Security Alert Consensus! Below
> >> you should find information pertaining only to the categories you
> >> requested. Information on how to manage your subscription can be found
> >> at the bottom of the newsletter. If you have any problems or questions,

> >> -- Security Alert Consensus Team

> >> ************************************************************************

> >> -----BEGIN PGP SIGNED MESSAGE-----
> >> Hash: SHA1

> >> TABLE OF CONTENTS:

> >> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
> >> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
> >>             vulnerability
> >> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
> >> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
> >> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
> >> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
> >> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
> >>             vulnerabilities
> >> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
> >> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
> >> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
> >> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
> >>             shell commands
> >> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
> >> {03.11.026} Linux - Mandrake unrestricted shutdown

> > It actually doesn't matter whether Linux is "more secure" or not. The
> > fact is that there are far fewer attacks directed at Linux - hence it is
> > more secure in actual use.

> So, because nobody burglarizes your unlocked home, your home is more
> secure???

Sounds more like you are describing winXP than anything
else.
 
 
 


Post by GreyClou » Sat, 22 Mar 2003 20:59:14





> >> TABLE OF CONTENTS:

> >> {03.11.008} Win - MS03-007: IIS WebDAV URL overflow
> >> {03.11.023} Win - McAfee ePolicy Orchestrator agent format string
> >>             vulnerability
> >> {03.11.001} Linux - Update {03.09.004}: tcpdump ISAKMP DoS
> >> {03.11.002} Linux - Update {03.10.013}: lprm local buffer overflow
> >> {03.11.003} Linux - Update {03.09.018}: file utility local overflow
> >> {03.11.005} Linux - Linux 2.2/2.4 ptrace vulnerability
> >> {03.11.006} Linux - Update {03.08.017}: Terminal escape sequence
> >>             vulnerabilities
> >> {03.11.007} Linux - Update {03.09.017}: NetPBM multiple vulnerabilities
> >> {03.11.015} Linux - Update {03.10.004}: MySQL my.cnf user override
> >> {03.11.016} Linux - Update {03.10.025}: zlib gzprintf overflow
> >> {03.11.021} Linux - Update {03.02.020}: KDE parameter mishandling on
> >>             shell commands
> >> {03.11.022} Linux - Gnome-lokkit incorrect FORWARD rule generation
> >> {03.11.026} Linux - Mandrake unrestricted shutdown

> > Ok, now tell us how many of them have been exploited vs. the vulnerabilities
> > in Windows.

> > I'm willing to bet you'll recant your subject.

> Wrong attitude.  Security is about how *VULNERABLE* you are, not about how
> often you get exploited.

Guffaw!!  If you get exploited then you have no security.
Seeing that the many gov. websites are getting the *
hacked out of them at this point in time shows how M$ is not
secure.
 
 
 


Post by Dave Leig » Sat, 22 Mar 2003 21:54:20


Erik Funkenbusch wrote on Friday 21 March 2003 11:41 in message

> Wrong attitude.  Security is about how VULNERABLE you are, not about how
> often you get exploited.

Deja Vu. ;)  
I agree completely.

--
Dave Leigh, Consulting Systems Analyst
Cratchit.org

 
 
 
